TryHackMe Advent of Cyber 4 → DAY 3

Amol Rangari
3 min read · Dec 6, 2022


As the elves are trying to recover the compromised santagift.shop website, elf Recon McRed is trying to figure out how it was compromised in the first place. Can you help him in gathering open-source information against the website?

Objectives of DAY 3

  • What is OSINT, and what techniques can extract useful information against a website or target?
  • Using dorks to find specific information on the Google search engine
  • Extracting hidden directories through the Robots.txt file
  • Domain owner information through WHOIS lookup
  • Searching data from hacked databases
  • Acquiring sensitive information from publicly available GitHub repositories
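The objectives mention pulling hidden directories out of robots.txt. The script below is an added example for this write-up (not code from the TryHackMe room or the original post): it parses a robots.txt body the way a crawler would and lists every Disallow path, which is exactly the set of paths a site owner has just advertised to anyone who reads the file. The sample robots.txt and the list of "worth reviewing" hints are constructed for the example; the real santagift.shop file is not reproduced here.

```python
"""Parse a robots.txt body and list the paths it exposes.

Added example for this write-up, not part of the TryHackMe room or the
original post. Every Disallow line is a public hint about a path the
owner would rather not advertise, so defenders should review what their
own robots.txt reveals before publishing it.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: this is NOT the real santagift.shop robots.txt.
SAMPLE_ROBOTS_TXT = """\
# robots.txt for an example shop (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /config.php
Allow: /public/

User-agent: Googlebot
Disallow: /staging/

Sitemap: https://shop.example/sitemap.xml
"""

# Hypothetical heuristic list of fragments that usually deserve a second
# look when they appear in a public robots.txt.
SENSITIVE_HINTS = ("admin", "backup", "config", "staging", "dev", "test", ".git", ".env")


@dataclass
class RobotsRules:
    disallow: dict[str, list[str]] = field(default_factory=dict)  # user-agent -> paths
    allow: dict[str, list[str]] = field(default_factory=dict)
    sitemaps: list[str] = field(default_factory=list)


def parse_robots(text: str) -> RobotsRules:
    """Parse robots.txt into per-user-agent Allow/Disallow lists.

    Handles comments, blank lines, case-insensitive directive names and
    several consecutive User-agent lines that form one rule group.
    """
    rules = RobotsRules()
    agents: list[str] = []     # user-agents of the group currently being read
    expecting_agent = True     # True until the first rule line after a User-agent

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()

        if key == "user-agent":
            if not expecting_agent:
                agents = []        # rules were already seen: this starts a new group
            agents.append(value)
            expecting_agent = True
        elif key == "sitemap":
            rules.sitemaps.append(value)
        elif key in ("disallow", "allow") and agents:
            expecting_agent = False
            target = rules.disallow if key == "disallow" else rules.allow
            for agent in agents:
                if value:          # an empty "Disallow:" means nothing is disallowed
                    target.setdefault(agent, []).append(value)
    return rules


def exposed_paths(rules: RobotsRules) -> list[str]:
    """Return a sorted, de-duplicated list of every Disallow path for any agent."""
    return sorted({p for paths in rules.disallow.values() for p in paths})


def flag_sensitive(paths: list[str]) -> list[str]:
    """Return the subset of paths whose name hints at something sensitive."""
    return [p for p in paths if any(h in p.lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS_TXT)
    paths = exposed_paths(parsed)
    print("Disallowed paths:", paths)
    print("Worth reviewing:", flag_sensitive(paths))
    print("Sitemaps:", parsed.sitemaps)
```

To run it against a live site you would fetch `https://<host>/robots.txt` yourself and pass the body to `parse_robots`; the point of the example is the parsing and the review, which is why the input is embedded.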

What is OSINT?

OSINT is gathering and analysing publicly available data for intelligence purposes, which includes information collected from the internet, mass media, specialist journals and research, photos, and geospatial information. The information can be accessed via the open internet (indexed by search engines), closed forums (not indexed by search engines) and even the deep and dark web. People tend to leave a lot of publicly available information on the internet, which can later result in impersonation, identity theft, etc.

More about OSINT and the techniques coming soon!!

OSINT techniques talked about in this task are:

  • Google Dorking
  • WHOIS Lookup
  • robots.txt
  • Breached Database Search (Have I Been Pwned)
  • GitHub Dorking
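The breached database search on the list above can be done without handing your password to anyone. The script below is an added example for this write-up (not code from the room or the original post) showing the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of the password's SHA-1 hash are sent, and the match is done locally against the returned list of suffixes. The `RANGE_URL` endpoint is the real HIBP one; the `SAMPLE_RESPONSE` body and its counts are constructed so the example runs offline, apart from the genuine SHA-1 of the string "password".

```python
"""Check a password against a breach corpus without revealing it.

Added example for this write-up, not part of the TryHackMe room or the
original post. Demonstrates the Pwned Passwords k-anonymity range query:
hash locally, send a 5-character prefix, match the 35-character suffix
on your own machine.
"""
import hashlib
import urllib.request
from typing import Callable, Optional

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_response(body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our suffix was seen in breaches, or 0 if it is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: GET the suffix list for one 5-char prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "aoc4-day3-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   fetch: Optional[Callable[[str], str]] = None) -> int:
    """Return the breach count for a password. `fetch` is injectable so the
    lookup can be tested offline; it defaults to the live API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = (fetch or fetch_range)(prefix)
    return breach_count_from_response(body, suffix)


# Constructed sample response for prefix 5BAA6: two made-up suffixes plus
# the real suffix of SHA-1("password"). The counts are made up.
SAMPLE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F0B1F9F4C77F3A5A2A5B7B7D4E3F2A1B0C:1\r\n"
)


if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    hits = check_password("password", fetch=lambda _prefix: SAMPLE_RESPONSE)
    print("seen in breaches" if hits else "not found", hits)
```

Call `check_password("...")` without the `fetch` argument to query the live API; the server only ever learns the 5-character prefix, which is shared by hundreds of other hashes.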

Let us start with the DAY 3 Tasks right away!

Q1 What is the name of the Registrar for the domain santagift.shop?

We simply have to do a WHOIS lookup (with the whois command or an online WHOIS service) and read the Registrar field in the output.

This is what the output looks like!

Q2 Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

We have to find the source code of this website on GitHub, so we can simply go to github.com and search for "santa gift shop", and it shows us the repository!

Now we have to look for the flag! The question says to look for it in a file containing sensitive credentials. Generally, config.php holds all that information, as it is the main configuration file.
Let us look into the config.php file.

The flag is right there!

Q3 What is the name of the file containing passwords?

Answer: If you followed everything I said, you already know which file the sensitive credentials are in!

Q4 What is the name of the QA server associated with the website?

With OSINT, the most important thing is being able to put two and two together. We should read everything, process all the information we get access to, and try to find small details written in comments or coded into variables.

Q5 What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Answer: Going through the config.php file we can see all the sensitive information, and right there is the password!
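Q2 to Q5 all come down to one mistake: credentials committed in a config file, with the same DB_PASSWORD used for QA and PROD. The script below is an added example for this write-up (not code from the room, the santagift.shop repository or the original post) of the check a defender would run before pushing such a repository: it pulls `define('NAME', 'value')` and `$name = 'value'` assignments out of PHP config files, flags the ones whose names look like secrets, and reports any secret value that is reused across more than one file. The two config files, their hostnames and their values are constructed for the example.

```python
"""Find hard-coded credentials in PHP config files and flag reuse.

Added example for this write-up, not part of the TryHackMe room or the
original post. Intended as a pre-commit or CI check; the sample files
below are constructed and do not reproduce the real config.php.
"""
import re
from collections import defaultdict

# define('NAME', 'value')  and  $name = 'value'  (single or double quotes;
# escaped quotes inside values are not handled, to keep the example short)
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
VAR_RE = re.compile(r"""\$(\w+)\s*=\s*['"]([^'"]*)['"]""")

# Hypothetical name fragments that mark a value as a secret.
SECRET_HINTS = ("pass", "pwd", "secret", "key", "token")

# Constructed sample repository: a PROD config and a QA config that share
# the same database password (the situation described in Q5).
SAMPLE_FILES = {
    "config.php": """<?php
// constructed sample config, not the real santagift.shop file
define('DB_HOST', 'prod-db.internal.example');
define('DB_USER', 'shopuser');
define('DB_PASSWORD', 'S3cretPassw0rd!');
$api_key = "ABCD1234EXAMPLEKEY";
""",
    "config.qa.php": """<?php
define('DB_HOST', 'qa-db.internal.example');
define('DB_USER', 'shopuser');
define('DB_PASSWORD', 'S3cretPassw0rd!');
""",
}


def extract_assignments(php_source: str) -> list[tuple[str, str]]:
    """Return every (name, literal value) pair assigned in the PHP source."""
    found = []
    for line in php_source.splitlines():
        for rx in (DEFINE_RE, VAR_RE):
            for m in rx.finditer(line):
                found.append((m.group(1), m.group(2)))
    return found


def is_secret_name(name: str) -> bool:
    return any(h in name.lower() for h in SECRET_HINTS)


def mask(value: str) -> str:
    """Never echo a full secret in a report: keep two characters as a hint."""
    return (value[:2] + "***") if value else "***"


def find_secrets(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (file, name, value) for every secret-looking literal assignment."""
    return [(path, name, value)
            for path, source in files.items()
            for name, value in extract_assignments(source)
            if is_secret_name(name) and value]


def find_reuse(findings: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each secret value that appears in more than one file to those files."""
    seen = defaultdict(set)
    for path, _name, value in findings:
        seen[value].add(path)
    return {value: sorted(paths) for value, paths in seen.items() if len(paths) > 1}


def report(files: dict[str, str]) -> list[str]:
    """Human-readable findings with masked values."""
    findings = find_secrets(files)
    lines = [f"{path}: {name} = {mask(value)}" for path, name, value in findings]
    for value, paths in find_reuse(findings).items():
        lines.append(f"REUSED {mask(value)} across {', '.join(paths)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
```

In a real repository you would build the `files` dict by walking the tree for `*.php` (and `.env`, YAML, etc.) and fail the commit on any finding; the fix itself is to move the values into environment variables or a secrets manager and rotate anything that was ever committed.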

We are going to cover the full Advent of Cyber event again just like last year!

Follow us for more Writeups and Stories!!

https://linktr.ee/alexhack


Written by Amol Rangari

I am a Cyber Security Expert, Security Researcher and bug hunter
